Forum Discussion
SQL-INJ "drop Schema" reporting in ASM 11.3
All,
In our 11.3 ASM, we tripped an attack signature detected for the following. Looking to understand why this registered? I see schema included as part of the parameter value, but is that enough to say this may be an attack?
"wresult=2013-05-21T15:23:30.278Z
5 Replies
- If you know the sig-ID you can pull the actual signature from the ASM database and see exactly why it matched.
- Lazar_92526
Nimbostratus
I did, and when I did a view details, I got the following for detected keywords
wresult=0x20xlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">0x20xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-05-21T15:23:30.278Z
- Depending on the signature it can be a keyword type or a regex type (you can see all the signature options here: http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/config_guide_asm_10_2_0/asm_apx_attack_sig_syntax.html1005373) so it's certainly enough to say that if the signature was matched then a suspicious value was found. Having said that you need a full understanding of the application to say whether the particular match was a false positive or not. Usually the source of the attack gives you some clue, was this from an authenticated user? Can you find out who that user is and speak to them?
- Lazar_92526
Nimbostratus
Chris,
This is coming from the default signature (see below) and not a customized one. Do the default sigs just trip on keywords?
Signature Properties
Name: SQL-INJ "DROP SCHEMA" (Parameter)
ID: 200002283
Signature Type: Request
Apply to: Parameter, XML, JSON, GWT
Attack Type: SQL-Injection
Systems: General Database, IBM DB2, Microsoft SQL Server, MySQL, Oracle, PostgreSQL, Sybase/ASE
Accuracy: High
Risk: High
User-defined: No
Revision: 1
Last Updated: 02/05/2013
References: www.owasp.org/index.php/SQL_Injection www.webappsec.org/projects/threat/c...tion.shtml
- hoolio
Cirrostratus
Hi Lazar,
The signature is looking for drop and schema and a fairly complex regex. It's not just looking for those two keywords.
If you're seeing false positives on just one parameter, I'd disable the signature on a new global parameter with that name. If you're seeing false positives on several parameters, you could disable the signature across the policy.
Aaron
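The keyword-versus-regex distinction and the per-parameter exclusion discussed in this thread, as an added toy example (not F5's signature set, not the ASM engine, and not code from anyone in the thread). The "complex regex" is approximated by a hypothetical `\bdrop\s+schema\b`; the `wresult` sample is constructed, loosely modelled on the thread's value, with a made-up attribute containing the substring "drop" so that a loose keyword check fires on it.

```python
"""Why a "DROP SCHEMA" signature can trip on a WS-Trust token, and how a
parameter-scoped exclusion suppresses it. Hypothetical logic for illustration."""
import re
from urllib.parse import parse_qs, urlencode

SIG_ID = 200002283  # signature ID quoted in the thread

# Loose "keyword" form: both words appear anywhere, even inside other words.
def keyword_match(value):
    v = value.lower()
    return "drop" in v and "schema" in v

# Hypothetical tighter form: DROP and SCHEMA as adjacent whole tokens.
DROP_SCHEMA_RE = re.compile(r"\bdrop\s+schema\b", re.IGNORECASE)

def match_signature(value):
    """Report whether each matching style would flag this parameter value."""
    return {"keyword": keyword_match(value),
            "regex": bool(DROP_SCHEMA_RE.search(value))}

def inspect_request(body, disabled_on_params=()):
    """Check every parameter of a form-encoded body; return (param, mode) hits.
    `disabled_on_params` models disabling SIG_ID on a named parameter."""
    hits = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name in disabled_on_params:
            continue  # signature disabled for this parameter, as Aaron suggests
        for value in values:
            for mode, fired in match_signature(value).items():
                if fired:
                    hits.append((name, mode))
    return hits

# Constructed sample: shape of the thread's wresult token, with a made-up
# "backdrop" attribute so the substring "drop" is present alongside "schemas".
BENIGN_WRESULT = (
    '<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">'
    '<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/'
    'oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-05-21T15:23:30.278Z</wsu:Created>'
    '<saml:Attribute Name="theme">backdrop</saml:Attribute>'
    '</t:RequestSecurityTokenResponse>')
INJECT = "x'; DROP SCHEMA app; --"  # constructed hostile value for comparison

BENIGN_BODY = urlencode({"wa": "wsignin1.0", "wresult": BENIGN_WRESULT})
INJECT_BODY = urlencode({"q": INJECT})

if __name__ == "__main__":
    print(inspect_request(BENIGN_BODY))                              # [('wresult', 'keyword')]
    print(inspect_request(BENIGN_BODY, disabled_on_params={"wresult"}))  # []
    print(inspect_request(INJECT_BODY))                              # [('q', 'keyword'), ('q', 'regex')]
```

The benign token is flagged only by the loose keyword check; the word-boundary regex ignores "backdrop" and "schemas.xmlsoap.org", and excluding the signature on `wresult` silences the remaining hit without weakening coverage on other parameters.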